Enforcing server authentication based on a hardware token

US 10,164,963 B2
Filed: 02/26/2016
Issued: 12/25/2018
Est. Priority Date: 10/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a hardware token from a client device, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature;

verifying, by a cryptography application running in a memory of the hardware token, the chain of certificates by;

verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;

omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and

determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;

authenticating, by the hardware token and based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;

encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and

sending, by the hardware token, the encrypted secret message to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may include receiving, by a hardware token from a client device, a chain of certificates including a server certificate and a first root certificate authority (CA) certificate. The method may further include determining, by the hardware token, to offload validation of one or more certificates in the chain of certificates to the client device, and verifying, by a cryptography application running in a memory of the hardware token, using a trusted root CA certificate stored in the hardware token, each certificate in the chain of certificates. The method may further include authenticating, by the hardware token and based on the verification, a public key of a server certificate, encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate to obtain an encrypted secret message, and sending, by the hardware token, the encrypted secret message to the client device.

Citations

15 Claims

1. A method, comprising:
- receiving, by a hardware token from a client device, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature;
  
  verifying, by a cryptography application running in a memory of the hardware token, the chain of certificates by;
  
  verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
  
  omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
  
  determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
  
  authenticating, by the hardware token and based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
  
  encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
  
  sending, by the hardware token, the encrypted secret message to the client device.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the memory of the hardware token is inaccessible to any software program external to the hardware token.
  - 3. The method of claim 1, further comprising:
    - using, by the client device, the encrypted secret message to establish a secure connection with a server named in the server certificate in the chain of certificates.
  - 4. The method of claim 1, further comprising:
    - offloading, by the hardware token, non-cryptographic operations on one of or more certificates in the chain of certificates to the client device; and
      
      performing, by the client device the non-cryptographic operations on the one or more certificates in the chain of certificates.

5. A system, comprising:
- a client device configured to;
  
  receive, over a network, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature; and
  
  a hardware token, communicatively associated with the client device, comprising a memory and a cryptography application running in the memory, the hardware token configured to;
  
  receive, from the client device, the chain of certificates;
  
  verify the chain of certificates by;
  
  verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
  
  omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
  
  determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
  
  authenticate, based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
  
  encrypt a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
  
  send the encrypted secret message to the client device.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The system of claim 5, wherein the hardware token is further configured to:
    - determine whether the next certificate in the chain of certificates corresponds to an authenticated certificate stored in the hardware token; and
      
      tag the list as authenticated based on the determination that the next certificate corresponds to the authenticated certificate.
  - 7. The system of claim 6, wherein a first certificate in the chain of certificates is the server certificate, and wherein the authenticated certificate is a trusted root CA certificate stored in the hardware token.
  - 8. The system of claim 5, wherein the memory of the hardware token is inaccessible to any software program external to the hardware token.
  - 9. The system of claim 5, wherein the client device is further configured to use the encrypted secret message to establish a secure connection with a server named in the server certificate in the chain of certificates.
  - 10. The system of claim 5, wherein:
    - the hardware token is further configured to offload non-cryptographic operations on one or more certificates in the chain of certificates to the client device; and
      
      the client device is further configured to perform the non-cryptographic operations the on one or more certificates in the chain of certificates.

11. A non-transitory computer readable medium comprising instructions that, when executed by a processor, cause the processor to execute the steps of:
- receiving, by a hardware token, from a client device, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature;
  
  verifying, by a cryptography application running in a memory of the hardware token, the chain of certificates by;
  
  verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
  
  omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
  
  determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
  
  authenticating, by the hardware token and based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
  
  encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
  
  sending, by the hardware token, the encrypted secret message to the client device.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable medium of claim 11, further comprising instructions that, when executed by the processor, further cause the processor to execute the steps of:
    - determining whether the next certificate in the chain of certificates corresponds to an authenticated certificate stored in the hardware token; and
      
      tagging the list as authenticated based on the determination that the next certificate corresponds to the authenticated certificate.
  - 13. The non-transitory computer readable medium of claim 12, wherein a first certificate in the chain of certificates is the server certificate, and wherein the authenticated certificate is a trusted root CA certificate stored in the hardware token.
  - 14. The non-transitory computer readable medium of claim 11, wherein the memory of the hardware token is inaccessible to any software program external to the hardware token.
  - 15. The non-transitory computer readable medium of claim 11, further comprising instructions that, when executed by the processor, further cause the processor to execute the steps of:
    - offloading, by the hardware token, non-cryptographic operations on one or more certificates in the chain of certificates to the client device; and
      
      causing the client device to perform the non-cryptographic operations the on one or more certificates in the chain of certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Ponsini, Nicolas, Vetillard, Eric
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Beheshti Shirazi, Sayed Aresh

Application Number

US15/055,410
Publication Number

US 20170118196A1
Time in Patent Office

1,033 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 9/14   using a plurality of keys o...

H04L 9/3234   involving additional secure...

H04L 9/3265   using certificate chains, t...

Enforcing server authentication based on a hardware token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing server authentication based on a hardware token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links